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(54) System and method of biometric smart card user authentication 



(57) A system and method for authenticating a 
smart card user (54) at a reader device (64) makes use 
of an application (56) on a smart card mtcrop recesses 
(80) on which information fisids (56) relating to biometric 
information for the user and a table of predefined prob- 
ability of occurrence values for user authentication is 
stored. The smart card (62) and a biometric sample f 
the user is presented to the reader device (64), and 
application associated with the reader device automat- 
ically authenticates the user base on a match level be- 



Iween the stored biometric information and the present- 
ed biometric sample according to a desired probability 
of occurrence value from the stored table, Alternatively, 
the user (54) is automatically authenticated by an appli- 
cation (5B) on the smart card microprocessor (60). The 
reader device reads Ihe presented biometric sample, 
automatically presents what is read to ihe smart card 
application, and the smart card application then authen- 
ticates the user according to the threshold match score 
from Ihe stored table that corresponds to the desired 
probability of occurrence value. 
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Description 

Cross Reference to Related Applications 

[0001] This application claims the benefit of U.S. Pro- 
visional Patent Application Serial No. 60/084,922 filed 
May 11, 1999. 

Field of the Invention 

[0002] The present inversion relates to smart card se- 
curity aid more particularly to a system and method of 
biometrie authentication of a smart card user. 

Background 

[0003] Authentication is the process by which an en- 
tity, such as a financial institution or bank or other type 
q[ institution, identifies arid verifies its customers or us- 
ers to itseif and itself to its customers or users. Authen- 
tication includes the use of physical objects, such as 
cards and/or keys, shared secrets, such as personal 
identification numbers (PIN's) and/or passwords, and 
biometrie technologies, such as voice prints, photos, 
signatures and/or fingerprints. Biometrie tasks include, 
for example, an identification task and a verification 
task. The verification task determines whether or not the 
individual claiming an identity is the individual whose 
identity is being claimed. The identification task deter- 
mines whether the biometrie signal, such as a finger- 
print, matches that of someone already enrolled in the 
system. 

[0Q04] Typically, biometrie systems have a common 
methodology, regardless oi their rnodaiity, such as fin- 
gerprint, face, voice, or the like. A person enrolls by do- 
nating some number of samples of the biometrie. From 
these samples, the biometrie system creates a model of 
the particular individual's patterns, which is relerred to 
as a template. When the person attempts to access the 
system, the application collects new data, in a verifica- 
tion application, the individual claims an identity, and the 
application retrieves the individual's model from a data- 
base and compares the new signal to the retrieved mod- 
el. The result of this comparison is a match score, which 
indicates how well the new signal matches the template. 
The application then compares the match score ob- 
tained with a pre-defined threshold and decides whether 
lo allow or deny access to the individual or, for example, 
to ask the individual for more data. 
[0005] Various authentication parameters are used by 
secu rity systems to verify a valid cardhoide r and to grant 
the cardholder access to a secured resource. Informa- 
tion parameters, such as PiN's, can be readily read and 
processed by a card reader according to a system ver- 
ification algorithm. However, information can be com- 
promised, so that many authentication systems also re- 
quire person-unique biometrie parameters, such as fin- 
gerprints, or relinai images. In such authentication sys- 
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terns, cardholder bio-specimens are stored in digital for- 
mat in the system computer. During authentication the 
system obtains the information parameters, for exam- 
ple, from the card, and the biometrie parameters tram 
s the person and matches both to the system-stored val- 
ues- For a fingerprint, for example, there are fourteen 
points and interpoint distances that the biometrie reader 
compares and, depending on the match score, grants 
or denies access, 
i o [0006] The required matcfi score is a function of a pre- 
selected security level and is set by the application de- 
signer. However, the image acquisition tolerances, as 
well as changes in the person's biometrie parameter, 
such as a finger cut on the referenced fingerprint, cause 
75 false acceptances, such as accepting an impostor 
(False Accept or FA), and false rejections, such as re- 
jecting a valid user (False Reject or FR). Manufacturers 
of biometrie readers or application developers provide 
performance histograms, which are distributions oi the 
so empirical number of valid acceptances and valid rejec- 
tions provided by the reader. To the extent the distribu- 
tions overlap, there are regions of false rejections ol val- 
id users or FR and false acceptance of impostors or FA. 
tn setting the system parameters, application designers 
25 attempt to set a threshold authentication match score 
which balances these tolerances against efficiency (or 
a given application. 

[0007] The selected threshold match score is based 
on the desired probability oS occurrence or non-occur- 
30 rence of a FA and/or FR, and the performance histo- 
grams quantify the probability of occurrence of FA and 
FR. These probabilities are inverse, in that by increasing 
the threshold score to reduce the Probability of FA or P 
(FA), the Probability of FR or P(FR) is increased. Con- 
ss verse iy, decreasing the threshold to reduce the Proba- 
bility of FR or P(FR) increases the Probability of FA or 
P(FA). 

[0008] In a given application the selected threshold is 
coded into the reader software, and system perform- 
40 ance is observed. If actual system efficiency is unac- 
ceptable due to a False Reject Rate (FRR) thai is too 
high, the threshold score is reduced, and if unaccepta- 
ble due to a False Accept Rate (FAR) that is too high, 
the threshold is Increased. Each time the threshold 
*3 score changes, it must be receded into the reader sys- 
tem software. Similarly, with each new reader model or 
new release, the threshold score must be changed in 
accordance with the new model histograms and possi- 
bly changed again following actual performance evatu- 
so ation. Each re-coding of the threshold value generally 
requires a new system software release, together with 
the time and labor required to install the new software. 

Summary of the Invention 

ss 

[0009] It is a feature and advantage ol the present in- 
vention to provide a system and method o! biometrie 
smart card user authentication which automatically ad- 
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justs the probability of occurrence or non-occurrence of 
false acceptance of an impostor and false rejection of a 
valid user without the necessity of reprogramming the 
reader system software. 

[001 0] It is a further feature and advantage of the 
present invention of provide a system and method of bi- 
ometric smart card user authentication in which the per- 
formance of the biometric technology is independent of 
where the system positions the threshold lor false ac- 
ceptance and false rejection. 
[00111 !t is another feature and advantage of the 
present invention to provide a system and method of bi~ 
ometrtc smart card user authentication which makes the 
card application more secure, thereby reducing the risk 
ol fraudulent or unauthorized use and allowing for high- 
er-value appiications 

[001 2] It is an additional feature and advantage of the 
present invention to provide a system and method of bi- 
ometric smart card user authentication which simplifies 
application design requirements by putting the user's bi- 
ometric template on the card, thereby eliminating or 
greatly reducing network traffic. 
[001 3] Its still another feature and advantage of the 
present invention to provide a system and method of bi- 
ometric smart card user authentication which enhances 
security and privacy by eliminating the necessity of 
transmitting the user's biometric template around to dif- 
ferent locations where it is needed. 
[0014] It is a still further feature and advantage of the 
present invention to provide a system and method of bi- 
ometric smart card user authentication which allows ap- 
plication designers to set operating thresholds as tightly 
or as looseiy as is appropriate for the particular risk in- 
volved. 

[0015] It is also a feature and advantage of the 
present invention to provide a system and method of bi- 
ometric smart card user authentication with a flexible ar- 
chitecture format for storing biometrics on the smart 
card that is independent of application or biometric 
methodology or vendor, 

[001 6J It is stiil an additional feature and advantage of 
the present invention to provide a system and method 
of biometric smart card user authentication which sup- 
ports different methods, vendors, and releases, and al- 
lows for flexibility of application deployment. 
[0017] it is another feature and advantage of the 
present invention to provide a system and method of bi- 
ometric smart card user authentication in which the user 
is automatically authenticated by an application on the 
smart card. 

[0018] it is an additional feature and advantage of the 
present invention to provide a method and system of bi- 
ometric smart card user authentication in which the cus- 
tomer's use of the smart card in a transaction ties the 
customer undeniably to the transaction and makes the 
transaction non-reputiatabie. 

[0019] To achieve the stated and other features, ad- 
vantages and objects of the present invention, the sys- 



tem and method for authenticating a smart card user at 
a reader device of an embodiment ol the present inven- 
tion includes storing information fields for the user on 
the smart card relating to biometric information for the 
s user, aiso referred to as a biometric template. The bio- 
metric template includes at least one model of biometric 
patterns lor the user, such as the user's voice print, pho- 
tograph, signature, fingerprint, hand geometry, retinal 
image or iris scan. The information fields also include a 
w table of pre-defined probability of occurrence values for 
user authentication, as well as personal data for the us- 
er, identification of a biometric system, and a hashed 
data field. The information fields are stored in an appli- 
cation on a microprocessor ot the smart card. 
is [0020] In an embodiment of the present invention, 
storing the information fields relating to the table of pre- 
defined probability of occurrence values involves auto- 
matically assigning a probability of occurrence value to 
each of a plurality of pre-defined range limit values, 
so which are automatically identified for each of a plurality 
of value ranges of biometric reader device match 
scores. Identifying the range limit values involves auto- 
matically tabulating a performance histogram distribu- 
tion of biometric reader device match scores for false 
25 acceptance of an impostor and false rejection of a valid 
user into a plurality of value ranges. Tabulating the per- 
formance histogram distribution involves automatically 
quantifying the performance histogram intodiscrefe lev- 
els of biometric reader device match scores and a u lo- 
ad maltcaily assigning the probability o! occurrence value 
for each of the discrete levels of the biometric reader 
device match scores. 

[0021] In an embodiment of the present invention, the 
smart card, together with a biometric sample tor the us- 

35 &f, are presented to the reader device, which Is associ- 
ated with a terminal, such as at least one ol an area 
access terminal, a computer network terminal, a com- 
puter access terminal, a stored value terminal, a mone- 
tary access terminal, a PBX terminal, a long distance 

40 terminal, a personal computer, a laptop computer, a per- 
sonal digital assistant, a public internet terminal, and an 
automated teller machine. The presented biometric 
sample is, for example, at least one of a voice print, pho- 
tograph, signature, fingerprint, hand geometry, retina! 

*s mage, and an iris scan, 

[0022] In an embodiment of the present invention, the 
user is automatically authenticated by the reader device 
based at least in part on a match level between the 
stored biometric information and the presented biomet- 

so ric sample according to a desired probability ol occur- 
rence V8 i ue f ro m the stored table. The desired probabil- 
ity ol occurrence vaiue is pre-selected by pre-defining a 
desired probability of occurrence value (or false accept- 
ance of an impostor and false rejection of a valid user 

s$ and pre-defining an instruction set which directs the 
reader device to look to the stored table of probability ol 
occurrence values for a faise acceptance of an impostor 
and false rejection ol a valid user threshold match score 
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corresponding to the desired probability of occurrence 
value. The user authentication is performed by an ap- 
plication associated with the reader device and residing 
on the reader device and/or the terminal. 
[0023] Alternatively, in an embodiment of the present 
invention, in order to provide enhanced security, the us- 
er is automatically authenticated by an application on 
the smart card. For example, the reader device reads 
the presented biometric sample and automatically 
presents what is read by the reader device to the smart 
card application. The smart card application then au- 
thenticates the user according to the threshold match 
score from the table on the smart card application that 
corresponds to the desired probability of occurrence val- 

[0024] Additional objects, advantages and novel fea- 
tures ol the present invention wiil be set forth in part in 
the description which follows, and in part will become 
more apparent to those skilled in the art upon examina- 
tion ol the following or may be learned by practice of the 
invention. 

Brief Description of the Drawings 
[0025] 

Fig. 1 is a table which illustrates examples of types 
of data used in measuring biometrics performance 
for an embodiment of the present invention; 
Fig, 2 shows a sample biometric reader device per- 
formance histogram lor an embodiment of the 
present invention; 

Fig. 3 is a table which illustrates four possible out- 
comes of a single biometric reader device trial for 
an embodiment of the present invention; 
Fig. 4 is a diagram which illustrates an example ol 
a receiver operating characteristic (ROC) curve tor 
an embodiment of the present invention; 
Fig. 5 is a flow chart which shows somewhat sche- 
matically an overview of the key components and 
the flow of information between the key compo- 
nents for an embodiment of the present Invention; 
Fig. S is a table which illustrates examples ol the 
type of data stored on the smart card for an embod- 
iment of the present invention; 
Fig. 7 is a table which shows a sample probability 
look-up table tor an embodiment of the present in- 
vention; and 

Fig. 8 is a flow chart which provides further detail 
regarding the process of authenticating a user 
through match scoring of a sample biometric ob- 
tained from the user by a biometric reader device 
for an embodiment of the present invention. 

Detailed Description 

[0026] Referring now indetailtoan embodiment of the 
presenl invention, an example of which is frustrated in 
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the accompanying drawings, a number of methods can 
be used to quantitatively measure biometrics perform- 
ance. Fig. 1 is a table which illustrates examples of types 
of data used in measuring biometrics performance lor 
s an embodiment of the present invention. The types of 
data include, for example, performance histogram 2, 
False Accept Rate (FAR) and False Reject Rate (FRR) 
4, Equal Error Bate (EER) 6, Failure to Acquire (FTA) 8, 
and *d" and Receiver Operating Characteristic (ROC) 
10 plots 10. 

[0027] A basic way to look at data for quantitatively 
measuring the performance of biometrics is to inspect 
the performance histogram 2. Each time a trial is per- 
formed, the system returns a match score which is plot- 
is ted in the histogram 2. Fig. 2 illustrates a sample bio- 
metric reader device performance histogram for an em- 
bodiment of the present invention. The histogram 2 has 
the match score 1 2 on the x-axis 1 4, from low scores 1 8 
toward the left side of the histogram to high scores 18 
so toward the right side o! the histogram. The number of 
cases attempted 20 is shown on the y-axis 22 of the his- 
togram 2, Valid users 24 have higher match scores 18 
and are shown on the right side of the histogram 2, Dis- 
tributions vary from device fo device, bul are commonly 
25 normaliy distributed as bell curves 26 and 28, impostors 
30 have lower scores 16 and are shown on the left side 
of the histogram 2. Note also that there are usually fewer 
impostors 30 than valid users 24. 
[0028] Referring further to Fig. 2, the vertical line on 
so the histogram, which separates the two distributions of 
scores 26, 28, is known as the threshold 32. if a user 
scores higher than the threshold 32, the user is accept- 
ed, but if the user scores lower than the threshold, the 
user is rejected. There are four possible outcomes of a 
3£ single trial. Fig. 3 is a table with illustrates the four pos- 
sible outcomes of a single biometric reader device triat 
for an embodiment of the present invention. The lour 
possible outcomes include, for example, Correct Accept 
34 of a customer, Correct Reject 36 o! an impostor, 
40 False Accept or FA 38 of an impostor, and False Reject 
or FR 40 of a customer. The percentage of cases in the 
False Accept or FA 38 outcome is called the Faise Ac- 
cept Rate (FAR), and the percentage of cases in the 
False Reject or FR 40 outcome is caiied the False Reject 
■w Rate (FRR), 

[0029] Referring again to Fig. 2, if the threshold 32 is 
repositioned toward the left side of the histogram 2, few- 
er PR's 40 occur, but more FA's 38 occur. I! the threshold 
32 is repositioned toward the right side of the histogram 
£f 2, more FR's 40 occur, but fewer FA's 38 occur. This is 
the essential tradeoff made in the context of an applica- 
tion lor an embodiment of the present invention. An im- 
portant aspect of an embodiment of the present inven- 
tion is that the system and method of the present inven- 
ss Won automatically moves the threshold, and the per- 
formance of the biometric technology is independent ol 
where the application positions the threshold 32. 
[0030] The system and method for an embodiment ol 
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the present invention moves the threshold 32 according 
lo the objectives of greater security or rejecting fewer 
customers. Referring likewise to Fig. 2, if the objective 
is greater security, the threshold 32 is moved to a higher 
position. If the objective is to reject fewer customers, the 
threshold 32 is moved to a lower position. Therefore, 
comparing a system which has, for example, a stated 
performance level of t percent FAR and 10 percent FRR 
with another system that has, for example, a perform- 
ance levef of 2 percent FAR and 8 percent FRR is anal- 
ogous to comparing apples with oranges. 
[0031] Different organizational constituencies typical- 
ly have different perspectives of the FRR and FAR. For 
example, a security professional may prefer to know 
what the FRR will be if the FAR is set to 0 percent, while 
a marketing professional may wish to know what the 
FAR will be if the FRR is set to 0 percent. The number 
that is disposed in the middle is the Equal Error Rate 
(ERR). To address the aspect of movable thresholds, 
another method of quoting performance is the EER. Re- 
ferring further to Fig. 2, to find the EER, the threshold 
32 is set so that the percentage of FAR equals the per- 
centage of FRR, and 1he overall error is calculated. For 
example, if the threshold 32 is set so that 5 percent of 
vaiid users 24 are rejected and 5 percent of impostors 
30 are accepted, the overall EER is 5 percent. This is 
the outcomes table of a 5 percent EER. 
[0032] Another measure of biometrics performance is 
called Failure to Acquire (FTA) 3, which is the failure of 
the system to find a signal lo analyze. For example, in 
the fingerprint area, this is known as the 'presentation 
problem.' if a user does not place the user's finger on 
the scanner with the right orientation, or if the user 
moves the user's finger while the system is scanning, 
the resulting image cannot be processed. Likewise, in 
a speech system, if the user does not speak loudly 
enough, or if there is line noise or a bad connection, the 
system can fail to find the words. In a face verification 
system, the system may not be able to find a head in 
the proper frame it expects, and hence fails to acquire 
the photo. FTA 8 is often a result of human factor prob- 
lems, mainly dye to the amount of training a user may 
have or the amount of work a user must do to make the 
biomalrto work. 

[0033] A numerical description of the degree of sep- 
aration of two distributions, such as the scores ol the 
valid users 24 and the scores of the impostors 30, known 
as "d 1 ," is available from statistical decision and signal 
detection theory, and is reiated to the Naynrsan-Pearson 
equations describing distributions. It is defined accord- 
ing to the equation: 

d' = fm2 - miysqrt [ sdt 2 + sd2 Z }!2\ 

in which "d 1 " is equal to the difference between the 
means of the distributions divided by the square root of 
the average of the squares of the standard deviations 



of the distributions. 

[0034] Fig. 4 is a diagram which illustrates an example 
of a receiver operating characteristic (ROC) curve 42 for 
an embodiment of the present invention. Referring to 
s Fig. 4, the Probability of Fa!seRejectorP(FR)44isplot- 
ted on the y-axis 46, and the Probability of False Accept- 
ance or P(FA» 48 is plotted on the x-axis 50. As previ- 
ously mentioned, there is a tradeoff by moving the 
threshold, for example, higher and rejecting more valid 
10 users 23 but also keeping out more impostors 3D, This 
tradeoff is shown as the ROC curve 42, In the ROC 
curve 42, points near the origin (0, 0} 52 represent op- 
erating the biometric with some FA 38 and FR 40, 
whereas points at the ends of She Sine represent thresh- 
15 oids which are set very high or very low. For example, 
the threshold can be set high, such that P(FA) 48 is tow 
and P{FR) 44 is high, or the threshold can be set bw, 
such that P{FA) 4B is high while P(FR) 44 is low. 
[0035] Fig. 5 is a flow chart which shows somewhat 
so schematically the key components and the flow of infor- 
mation between the key components for an embodiment 
of the present invention. Referring to Fig. 5, the system 
and melhod for biometric authentication of a smart card 
user 54 for an embodiment of the present invention in- 
2B votves storing certain information fields 56 in an appli- 
cation 58 on a microprocessor 60 embedded in the 
smart card 62, along with a biometric sampie 64 itself. 
The informalion fields 58 include system identification 
and personal data, as well as a hashed data field, which 
30 is decoded by Ehe system during the authentication 
process to certify the Integrity of the informatbn param- 
eters. 

(0036] Referring further to Fig. 5, additionally, the ap- 
plication 58 on the smart card 62 includes a probability 
35 took- up table 66 which quantifies a reader device per- 
formance histogram distribution into discrete ieveis of 
match score 1 2 and assigns a corresponding probability 
factor to each level lor both false acceptances of impos- 
tors 30 andfalse rejections of vaiid users 24. The system 
40 reader device 68 is programmed with a desired Proba- 
bility of False Acceptances of P(FA)'s 48 and False Re- 
jections or P(FR)'s 44. The system readerSB isaiso pro- 
grammed with an instruction routine that tells thesystem 
signal processor to look to the probability look-up table 
45 66 on the card 62 to determine the false acceptances 
or false rejections threshold match score corresponding 
to the desired probability factor, to be used for authen- 
tication. 

[0037] An embodiment of the present invention pro- 
so vides an architecture which allows flexibility in applica- 
tion design. Since application requirements vary m 
terms of risk, user populations, channel properties and 
cost, the system and method for an embodiment of the 
present invention supports a wide range of these prop- 
55 erties. Biometric technology provides a type of security 
that is qualitatively different from that provided by token- 
basBd methods and information based methods. Token 
based methods make use of something that a user has, 
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such as the card itself, and information-based methods 
utilize something that the user knows, such as a PIN or 
password. Biometric technology for an embodiment of 
the present invention can be used in addition to these 
other methods or by itself. 

[0038] in embodiment of the present invention, the 
use of biometric technology in conjunction with the 
smart card 62 makes the card application 58 more se- 
cure, thereby reducing the risk of fraudulent or unau- 
thorized use. This allows for the implementation o! high- 
er-valued applications. Further, such use of biometric 
technology provides for non-repudiation of a transaction 
by the user 54 using the user's smart card 62, so the 
user cannot deny a transaction performed by the user 
with the smart card, in other words, use of btometric 
technology in conjunction with the smart card 62 unde- 
niably ties the user 54 1o use of the smart card by the 
user. In addition, by putting the biometric template 64 
on the card 62, application design requirements are sim- 
plified, since network traffic is eliminated or greatly re- 
duced. This also enhances security and privacy, since 
it is unnecessary to transmit the template 64 around to 
different locations where it is needed. 
[0X139] The system and method for an embodiment of 
the present invention has numerous applications, such 
as secure area access, computer network and computer 
access, stored value or other monetary access, PBX 
and long distance access. Each of such applications has 
different requirements in terms of risk, environment, us- 
er, channel and cost. In terms of risk, a transaction 
which, for example, transfers a million dollars to a num- 
bered Swiss bank account has a higher risk than one 
which simpiy returns a user's bank account balance. 
Gaining access, for example, to a nuclear weapons fa- 
cility or to war plans or lists of secret agents carries a 
greater risk 1han gaining access to an officer's club or 
DISNEY WORLD. An objective of the application de- 
signer is to set application operating thresholds as tight- 
ly or as loosely as is appropriate for the particular risk 
involved. 

[0040] in terms of environment an office environment 
is different, tor example, from an outdoor setting in a 
public space or a freezing bofder crossing station. While 
a face verification system works well, lor example, in an 
office environment, it may not work in a public space 
where the lighting and background is uncontrolled. Like- 
wise, a hand geometry unit wilt not work well at the freez- 
ing border station, unless healed in some way, but a 
speaker verification system may work. In regard io the 
user, if a user uses a particular system frequently, the 
user soon becomes habituated to the system. Since hu- 
man factors are an important part of overall system per- 
formance, a habituated user typically obtains better sys- 
tem performance than an unhabituated user on any giv- 
en bbmetfic. Some biometric methods are easier to 
(earn and faster to use than others, so the type of user 
that is anticipated is an important factor in the selection 
and deployment of a biometric. 



[0041] In terms of channel, some biometrics are more 
appropriate than others, depending on the channel o1 
use. For example, for long distance or cell phone ac- 
cess, speaker verification is more natural and efficient 
5 than, for example, fingerprinting. Secure area access 
method choice depends on the environment, but signa- 
ture verification may be more difficult than a camera 
based method, given the fact that the user may be car- 
rying packages or the like and standing, or the user may 
w be in a wheelchair. However, for a point of sale terminal, 
if a signature is required in a credit card transaction an- 
yway, and if the merchant is moving to a paper-less busi- 
ness and the terminal has a pressure sensitive tablet for 
signature capture, then signature verification may be the 
?£ most appropriate biometric method, 

[0042] Other channels include, for example, the per- 
sona! computer (PC) at home. Since many people only 
have one phone Sine into their home, deploying voice 
authentication may be cumbersome. However, a less 
so cumbersome method may be a camera based method, 
since people may have cameras for other purposes, 
such as videoteieconferencing. Otherchannels include, 
for example, laptop, personal digital assistant (PDA), 
public internet terminals, automated telier machines 
s$ (ATMs), vehicles, and the like. 

[0043] In terms of cost, there are a number of deter- 
minants of cost o! a biometric, including the cost of en- 
rollment, such as workstations, user time and monitor- 
ing, If supervised. Other cost factors include, for exam- 
30 pie, the cost of an access trial, such as user time, hard- 
ware and software and operations costs amortized over 
the number of verifications in the expected duration of 
the system, and the cost of storing the templates, such 
as the size of the template divided by cost of storage. 
3£ To illustrate an example of the range of costs, a speaker 
verification system can be deployed for a telephone net- 
work that costs approximately $5,000 per channel for a 
processor capable of performing up to 5 verifications a 
minute. If the system performs 300 verifications an hour, 
« 24 hours a day, 7 days a week,, 360 days a year, alter 3 
years when the system is presumed obsolete, the cost 
per verification is about 6 cents per hundred verifica- 
tions. 

[0044] On the other hand, to illuslrate another exam- 
45 pie of the range of costs, an iris scanner at a secure 
room portal might aiso cos! about $5,000, but traffic 
through the portal might only be 30 verifications an hour 
or iess, so the cost per verification for the iris scanner 
is proportionally greater than for speaker verification. As 
so for template size, a hand geometry unit requires only 9 
bytes of storage per template, whereas some fingerprint 
units and voice units require upwards of a kilobyte per 
template. Since memory costs on smart cards are not 
inexpensive, and the amount of time it takes to transfer 
ss the data off the card, in the case o1 matching template 
to signal off the card, is proportional to the size of the 
template, template size is an important consideration. 
[0045] In an embodiment ol the present invention, a 
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smart card parameter protocol mandates that certain in- 
formation fields 56 are stored on the card 62, in addition 
to the biometric sample 64 itself These information 
fields 56 include system identification and persona! da- 
ta, as well as a hashed data field, which is decoded by 
the system during the authentication process to certify 
the integrity of the information parameters. Fig. 6 is a 
table which iitustrates examples of the type of data 
stored on the smart card 62 for an embodiment of the 
present invention. 

[0046] Referring to Fig. 6, the content ol the first six 
fields includes, for example, method 70, vendor 72, re- 
lease 74, template 64, last updated 78, and first enrolled 
80. The method field 70 relates to the biometric technol- 
ogy employed, such as fingerprint. The vendor field 72 
identifies the particular vendor, such as SONY The re- 
lease field 74 specifies a release number, such as 1 ,0. 
The template field 64 is the particular template, and the 
Sast updated and first enrolled fields 78, 80 indicate 
dates. Referring further to Fig, 6, ihe hash value 82 is a 
value which is arrived at by hashing everything in the 
record. This can be transmitted elsewhere to authenti- 
cate the validity of the template 64. 
[0047] Another aspect of an embodiment of the 
present invention is that the card 82 aiso includes a 
probability look-up table 66 which quantifies the reader 
device performance histogram distribution into discrete 
levels of match score, such as 200, 300, 400, and so 
on, and assigns a corresponding probability factor to 
each level. Fig. 7 is a table which shows a sample prob- 
ability look-up table 66 for an embodiment of th e present 
invention. Referring to Fig. 7, the probability look-up ta- 
ble 66 includes an array of threshold values that are in- 
terpreted by the application 58. For example, for a False 
Accept Rate or FAR of less than 1 in 100, the match 
value between tie template 64 and the presented signal 
must be greater than 200. Alternatively, for a False Re- 
ject Rate or FRR of less than 1 in one million, athreshold 
value of 400 is used. This is done tor both FA 38 and 
FR40. 

[0048] In an embodiment ol the present invention, the 
system reader 68 is programmed with a desired PfFA) 
48 or P{FR) 44 rather than with a fixed threshold value. 
The system reader 68 is aiso programmed with an in- 
struction routine thai tells the system signal processor 
to took to the probability look-up table 66 on the card 62 
to determine the desired probability factor's correspond- 
ing FA 38 or FR 40 threshold match score to be used 
for authentication. This aspect reduces the cost of new 
system releases, since the application software may re- 
main Ihe same and only the cards have to be re-pro- 
grammed, instead of both the system and the cards as 
in the prior art. In addition, the cards may be pro- 
grammed lor personalized authentication, for example, 
at either a higher or lower security level, on an individual 
basis, instead of one value fits all. 
[0049] In an embodiment of the present invention, thB 
user 54 is authenticated through match scoring of a 



sample biometric obtained from the user by the biomet- 
ric reader device 68. Fig, 8 is a flow chart which provides 
further detail regarding the process of authenticating a 
user through match scoring of a sample biometric ob- 
s tained from the user by a biometric reader device for an 
embodiment of the present invention, At S1 , a biometric 
template 64 for the user 54 is stored in an application 
58 on a microprocessor 60 ol Ihe smart card 52, along 
with information fields 56, including system identification 
iq and personal data for the user. At S2, a look-up table 66 
based on a tabulation of performance histogram distri- 
bution of biometric reader device match scores lor false 
acceptance or FA 38 and false rejection or FR 40 into 
value ranges, with each value range identified by a 
is range limit value and each range limit value assigned a 
corresponding probability of occurrence value P(FA) 48 
and P(FR) 44, is also stored on the smart card applica- 
tion 58. 

[0050] Referring further to Fig. 8, at S3, She user 54 
20 presents the smart card 58, along with a new biometric 
sample lor the user, to the biometric reader device 68 
pre-programmed with a desired probability of occur- 
rence value and with an instruction set that commands 
the reader device to look to the look-up table 66 on the 
ss card 58 for the range limit value associated with the de- 
sired probab il iiy to be used for a uthentication of the user. 
At S4, ihe reader device 58 compares the new biometric 
sample for the user 54 with the user's biometric template 
64 stored on the smart card 62, identifies the range limit 
so value associated with the desired probability of occur- 
rence value, and authenticates fie user on the basis ol 
the identified range limit value. 
[0051 ] It is cl ear that the re is no 'one biometric fits al r 
for every application, nor is there one operating thresh- 
35 old that is appropriate for all applications. An embodi- 
ment of the present invention provides a flexible archi- 
tecture format 1or storing biometrics on smart cards that 
is independent of application or biometnc methodology 
or vendor, in an embodiment of the present invention, 
-*o threshold values are no longer 'hardwired' in a specific 
application to a specific method, vendor and specific re- 
lease. The same architecture applies no matter what the 
risk, vendor, biometric method or release. Thresholds 
and methods are determined, and probability density 
4S functions of various vendors, methods and releases a re 
derived in order to fill in the threshold values. Thus, an 
embodiment of the present invention supports different 
methods, vendors and releases, and allows for flexibility 
in application deployment. 
so [0052] Various preferred embodiments of the present 
invention have been described in fulfillment of the vari- 
ous objects ol the invention, it should be recognized thai 
Ihese embodiments are merely illustrative of the princi- 
ples oi the present invention. Numerous modifications 
and adaptations thereof will be readily apparent 1o those 
skilled in the art without departing from the spirit and 
scope of the present invention. Accordingly, the inven- 
tion is limited only by the following claims, 
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A method of authenticating a smart card user at a 
reader device, comprising: 

storing information fields for the user on the 
smart card relating to biometric information for 
the user and a table of predefined probability 
of occurrence values for user authentication; 
presenting the smarl card and a biometnc sam- 
ple for the user to the reader device; and 
automatically authenticating the user based at 
least in part on a match level between the 
stored biometric information and the pra$ented 
bio-metric sample according to a desired prob- 
ability ol occurrence value Irom the stored ta- 



2. The method of claim 1 , wherein storing the informa- 
tion fields relating to the biometric information for # 
the user further comprises storing a biometric tem- 
plate for the user. 

3. The method of claim 2, wherein storing the biomet- 
ric template further comprises storing at least one 2 
model o! biometric patterns for the user selected 
Irom a group of biometric patterns consisting of 
voice print, photograph, signature, fingerprint, hand 
geometry, retinal image, and iris scan. 

4. The method of claim 1 , wherein storing the informa- 
tion fields relating to the table of pre-defined prob- 
ability of occurrence values for user authentication 
further comprises automatically assigning a proba- 
bility of occurrence value to each of a plurality ol : 
pre-defined range limit values. 

5. The method of claim 4, wherein automatically as- 
signing the probability of occurrence values further 
comprises automatically identifying the range limit • 
values 1or each of a plurality of value ranges of bi- 
ometric reader device match scores. 

6. The method of claim 5, wherein automatically iden- 
tifying the range limit values further comprises au- 
tomatically tabulating a performance histogram dis- 
tribution of biometric reader device match scores for 
false acceptance of an impostor and false rejection 
of a valid user into the plurality of value ranges. 

7. The method of claim 6, wherein automatically tab- 
ulating the performance histogram distribution fur- 
ther comprises automatically quantifying the per- 
formance histogram distribution into discrete levels 
of the biometric reader device match scores. 

8. The method of claim 7, wherein automatically tab- 
ulating the performance histogram distribution fur- 



ther comprises automatically assigning the proba- 
bility of occurrence value for each ol the discrete 
levels of the biometric reader device match scores. 

9. The method of claim 1 , wherein storing the informa- 
tion fields further comprises storing personal data 
lor the user on the smart card. 

10. The method of claim f , wherein storing information 
fields further comprises storing information related 
to identification of a biometric system on the smart 
card. 

11. The method of claim 1 , wherein storing the informa- 
tion fields further comprises storing a hashed data 
field on the smart card, 

12. The method of claim 1 , wherein storing the informa- 
tion fields further comprises storing the information 

J fields in an application on the smart card. 

13. The method of claim 12, wherein storing the infor- 
mation fields in the application further comprises 
storing the information fields in an application on a 

s microprocessor ol the smart card. 

14. The method of claim 1, wherein presenting the 
smart card further comprises presenting the smart 
card to the reader device associated with a terminal. 

o 

15. The method of claim 14, wherein the terminal fur- 
ther comprises at least one of an area access ter- 
minal, a computer network terminal, a computer ac- 
cess terminal, a stored value terminal, a monetary 

is access terminal, a PBX terminal, a long distance 
terminal, a personal computer, a laptop computer, 
a persona] digital assistant, a public internet termi- 
nal, and an automated teller machine. 

w 16. The method of claim 1 , wherein presenting the bio- 
metric sample further comprises presenting the bi- 
ometric sample to the reads r device associated with 
a terminal. 

45 17. The method of claim 16, wherein the terminal fur- 
ther comprises at least one of an area access ter- 
minal, a computer network terminal, a computer ac- 
cess terminal, a stored value terminal, a monetary 
access terminal, a PBX terminal, a Song distance 

so terminal, a personai computer, a laptop computer, 
a personal digital assistant, a public internet termi- 
nal, and an automated feller machine. 

18. The method of claim 1 , wherein presenting the bio- 
£5 metric sample further comprises presenting at least 
one biometric sample selected from a group of bio- 
metric samples consisting of voice print, photo- 
graph, signature, fingerprint, hand geometry, retinal 
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image, and iris scan. 

19. The method of claim 1, wherein automatically au- 
thenticating further comprises pre-seleeting the de- 
sired probability of occurrence value. 

20. The method of claim 19, wherein pre-selecting the 
desired probability of occurrence valuefurther com- 
prises pre-defining a desired probability of occur- 
rence value for false acceptance of an impostor and 
false rejection of a valid user. 

21. The method of claim 20, wherein pre-defining the 
desired probability of occurrence value further com- 
prises pre-defining an instruction set directing the 
reader device \o took to the stored table of proba- 
bility oi occurrence values for a false acceptance of 
an impostor and false rejection of a valid user 
threshold match score corresponding to the desired 
probability of occurrence value. 

22. The method of claim 21 , wherein automatically au- 
thenticating further comprises automatically select- 
ing the faise acceptance of an impostor and false 
rejection of a valid user threshold match score, such 
that for a desired faise acceptance rate, a match 
vaiue between the stored biometric information and 
She biometric sample is at least a pre-determined 
Sevel, and for a desired false rejection rate, the 
match value is iess than a pre-determined level. 

23. The method of claim 1, wherein automatically au- 
thenticating further comprise automatically authen- 
ticating the user by an application associated with 
the reader device. 

24. The method of claim 23, wherein automatically au- 
thenticating further comprises automatically au- 
thenticating the user by an application residing at 
least in part on the reader device. 

25. The method o! claim 23, wherein automatically au- 
thenticating further comprising automatically au- 
thenticating the user by an application residing at 
least in part on alerminalassociated with the reader 
device. 

26. The method of claim 1, wherein automatically au- 
thenticating further comprises automatically au- 
thenticating the user by an application associated 
with Ihe smart card. 

27. The method of claim 26, wherein automatically au- 
thenticating further comprises automatically au- 
thenticating the user by an application residing at 
least in part on the smart card. 

25. A system for authenticating a smart card user at a 



reader device, comprising: 

means for storing information fields (or Ihe user 
on the smart card relating to biometric irtlorma- 
s lion for the user and a table of pre-defined prob- 

ability of occurrence values for user authenti- 
cation; 

means for preseniing the smart card and a bi- 
ometric sample tor the user to the reader de- 

io vice; 

means associated for automatically authenti- 
cating the user by the reader device based at 
least in part on a match Sevel between the 
stored biometric information and the presented 

15 biometric sample according to a desired prob- 

ability of occurrence value from the stored ta- 
ble. 

29. The system of claim 28, wherein the means for stor- 
sa ing the information fields further comprises an ap- 
plication on the smart card, 

30. The system of claim 29, wherein the application on 
trie smart card further comprises an application on 

ss a microprocessor of ihe smart card, 

31 . The system of claim 30, wherein Ihe means for pre- 
senting the smart card and the biometric sample fur- 
ther comprises a reader device associated with a 

30 terminal. 

32. The system of claim 31 , wherein the means tor pre- 
senting the smart card and the biometric sample fur- 
ther comprises an application associated with the 

35 reader device. 

33. The system of claim 32, wherein the terminal further 
comprises at least one of an area access terminal, 
a computer network terminal, a computer access 

40 terminal, a stored value terminal, a monetary ac- 
cess terminal, a PBX terminal, a long distance ter- 
minal, a persona! computer, a laptop computer, a 
personal digital assistant, a public interne! terminal, 
and an automated teller machine. 

4$ 

34. The system of claim 2B, wherein the means for au- 
tomatically authenticating the user further compris- 
es an application associated with the reader device, 

so 35. The system of claim 34, wherein the reader device 
is associated with a terminal. 

36. The system of claim 35, wherein the terminal further 
comprises at least one ot an area access terminal, 
ss a computer network terminal, a computer access 
terminal, a stored value terminal, a monetary ac- 
cess terminal, a computer access terminal, a stored 
value terminal, a monetary access terminal, a PBX 
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terminal, a long distance terminal, a persona! com- 
puter, a laptop computer, a personal digital assist- 
ant, a public internet terminal and an automated tall- 
er machine. 

37. The system of claim 28, wherein the means for au- 
tomatically authenticating lurther comprises an ap- 
plication associated with the smart card. 



EP 0 956 618 A1 



as 

[X] 



< 



(X, 

U 
O 



EP0 956 818 A1 




EP 0 956 818 A1 



fc: 

o 
U 



EP0 956 818 A1 




EP 0 956 818 A1 




W 

O 
to 



EP0 956B18 A1 



EP 0 956 818 A1 



< 



PQ 
< 
PQ 
O 



EP0956 B18A1 



2 



c 




0 








3 




for 




32 
















1 § 




11 




| & 




£ < 




C {g 




s <-> 








II 




















1 




o 




s 

















I'll 

« e g 

3 .2 c 

■8 w s 

§ = § 

& 3 s 
^ x* J2 

co 3 c2 

3 5 eg 

h £ s 

D ^8 



ill! 

W *2 oq fa 
■S §|U 

J § 1 

IS E = 

« c « !> 

b 



,2-5 3 



3 - g * -S K 

U y l <2 .s ? 



6 | tt . 

& ~ D tS 3 
« is I * -~ 

0 o &o i-J -S j= 

1 * .11 g < 

» Q ~ " - 



8b£ : 



5 'ills 

« -s § rt « c -° 

D 



y tap 



EP 0 956 818 A1 



European Patent 
Office 



EUROPEAN SEARCH REPORT 



Application Number 

EP 99 20 1446 



D OCUMENTS CONSIDERED TO BE RELEVANT 

CitaStors of document wift indication, where appropriate, 
of relsvarrt passages 

EP 0 612 035 A f INTERNATIONAL BUSINESS 
MACHINES CORPORATION } 
24 August 1994 (1994-08-24) 
page 1, line 49 - page 2, line 7 * 
page 5, line 35 - line 38 * 

GB 2 237 672 A ( DE LA RUE SYSTEMS LTD ) 
8 May 1991 (1991-05-08) 
page 2, line 8 - page 5, line 25 * 
page 9, line 23 - page 10, line 8 * 



W0 91 07729 A ( THE SECRETARY OF STATE FOR 
DEFENCE ET AL ) 30 May 1991 (1991-05-30) 

* page 1, line 4 - line 8 * 

* page 6, line 33 - page 8, line 33 * 

US 5 111 512 A { JASON CHIA-SL3N FAN ET AL) 
5 May 1992 (1992-05-05) 

* column 2, line 58 - column 5, line 2 * 



GB 2 248 513 A ( EHSIGdA LTD ET AL ) 
8 April 1992 (1992-04-08) 

* page 4, line 9 - line 20 * 

* page 8, line 32 - page 10, line 23 * 



W0 96 13800 A ( THE NATIONAL REGISTRY INC 
ET AL ) 9 «ay 1996 (1996-05-09) 



* psge 7, line 24 - line 28 * 

* page 12, line 26 ~ page 14, line 33 i 



1,18,19, 
28 

12-17 



1-3,18, 
28 

4-9, 
19-27, 
29,30, 
34-37 

1,4-8, 
19-25,28 



18-22 
1,28 



12-17 
128,34-36 



CttSSIFiCATKWDFTy 



A61B5/117 

G06K9/0Q 



SEARCHED {mat) 



A61B 
G06K 









THE HAGUE 


20 August 1999 


Qeffen, N 


CATSOOfW OF CITED DOCUMENTS T lhaory Of pjBlcipta und 
E : earler patent feuff* 


HJtsi?pU>Jah8S on, or 








p : iitsrmedfate documents 


docwnert ^ 



EP 0 956 818 A1 



European Psteni 
Office 



EUROPEAN SEARCH REPORT 



AppttaHlw Number 

EP 99 20 1446 



DOCUMENTS CONSIDERED TO Bi RELEVANT 



rs appropriate. 



"IDENTIFICATION AND VERIFICATION OF 
SIGNATURES'' 

IBM TECHNICAL DISCLOSURE BULLETIN, 

vol. 39, no. 6, 1 dune 1996 (1996-05-01), 

pages 93-97, XP0QG678532 

ISSN: 0018-8689 

* the whole document * 

L L LEE ET AL: "RELIABLE ON-LINE HlitfAN 
SIGNATURE VERIFICATION SYSTEM FOR 
POINT-OF-SALES APPLICATIONS" 
PROCEEDINGS OF THE TAPS INTERNATIONAL 
CONFERENCE ON PATTERN RECOGNITION, 
JERUSALEM, OCT, 9 - 13, 1994 CONFERENCE B: 
PATTERN RECOGNITION AND NEURAL NETWORKS, 
vol, 2, no. CONF, 12, 
9 October 1994 (1994-10-09), pages 19-23, 
XPO005O9875 

INSTITUTE OF ELECTRICAL AND ELECTRONICS 
ENGINEERSISBN: 0-3186-6272-7 
the whole document * 



1,12,13, 
26-30,37 



TECHNICAL RH.D9 




EP 0 956 818 A1 



ANNEX TO THE EUROPEAN SEARCH REPORT 

ON EUROPEAN PATENT APPLICATION NO. EP 99 20 1446 



This amsx lists She patsnt family members fBiathig to the patent documents aSetJ in \tm abwe-menloned Eurcpsan search 
The memhem are as contained in ths European Patent Office EDP file on 

The European Patent Office :s in no way liabie for these particulars which are rr-er eiy given For 9*i purpose of information 



Patent document 



EP 0612035 A 24-08-1994 
SB 2237672 A 08-05-1991 



G8 2237917 A 
US 5226091 A 



15-05-1991 
06-07-1993 



US 5111512 


A 


05-05-1992 


CA 


2066961 A,C 


15-11-1992 








DE 


69212890 D 


26-09-1996 








DE 


69212890 T 


02-01-1997 








EP 


0514082 A 


19-11-1992 








J? 


2699241 B 


19-01-1998 








3? 


6251130 A 


09-09-1994 


GB 2248513 


A 


08-04-1992 


AU 


665745 8 


18-01-1996 








AU 


8649691 A 


26-04-1992 








yo 


9206468 A 


16-04-1992 








us 


5526465 A 


11-06-1996 


W0 9613800 


A 


09-05-1996 


us 


5546471 A 


13-08-1996 








AU 


4230696 A 


23-05-1996 








US 


5920642 A 


06-07-1999 



I 

1 



£ For more details s&out ibis annex ; see Official Journal of the European Patent Office. No. 1£'P2 



